security oriented feedback on high traffic web site


  1. LinuxFr.org: security oriented feedback on high traffic web site
  Bruno Michel – nono@linuxfr.org
  Benoît Sibaud – oumph@linuxfr.org
  Webmasters
  2009/07/09 LSM 2009 LinuxFr.org: security oriented feedback on high traffic web site

  2. LinuxFr.org
  French-speaking news website about free software
  11-year-old website, run by a volunteer team
  High-traffic website (14M visits/year, 37,000 accounts, 4,000 active accounts, PageRank 7)
  News reused by other media
  Stores personal data (email, last name/first name, session IPs, passwords, etc.)
  Many users have IT skills

  3. LinuxFr.org

  4. LinuxFr.org (see LSM 2008 "10 years of LinuxFr.org" for details...)
  1998: first LinuxFr.org (LAMP)
  2000-2002: daCode CMS (PHP3/4, GPL) used (was also used by x.org)
  2002-now: templeet framework (PHP4/5, GPL) + our templates in templeet + javascript

  5. This talk
  About:
  ● LinuxFr.org from a security point of view
  ● a site that gives a lot of experience in the security area
  ● disclosure of the security problems we had
  ● no security by obscurity
  Not about:
  ● non-security-related software/hardware failures
  ● legal aspects (libel, hate speech, etc.)
  ● lamer filtering (captcha, karma system, multiple-account detection, etc.) or content (pre/post-)moderation

  6. Security info leak: not so secret
  A session is made of 2 cookies, unique_id and md5:
  unique_id: 32 random alphanumeric characters
  md5: md5sum(concat(SECRET, unique_id)) = session id
  The server recomputes the md5sum and compares it with the user's md5 cookie
  Each user may have several sessions and can close each of them
  The md5 cookie is there to protect against prediction of the random generator: a guessed unique_id is useless without the matching md5

  7. Security info leak: not so secret
  Failure: SECRET was a file, MD5.txt, stored in the DOCUMENT_ROOT
  Effect: the md5 cookie became useless (anyone who has read SECRET can compute it for any unique_id)
  Exploit: the file was indexed by web crawlers and could be found with something like 'site:linuxfr.org MD5.txt'
  Fix: generate a new MD5.txt outside DOCUMENT_ROOT, purge all sessions
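The two-cookie scheme of slides 6 and 7, re-implemented as an added Python example (the site's own code is PHP and is not on the slides). The legacy_* functions model the md5sum(concat(SECRET, unique_id)) cookie and what a crawlable MD5.txt gives an attacker. SessionStore is a hardened variant that is an assumption of this example, not the fix LinuxFr.org deployed: a keyed HMAC instead of a bare hash, constant-time comparison, and a server-side session table, with the slide's fix (new secret plus purge) as rotate_secret().

```python
"""Two-cookie session scheme from slides 6-7, re-implemented for illustration."""
import hashlib
import hmac
import secrets
import string

ALPHABET = string.ascii_letters + string.digits


def new_unique_id(choose=secrets.choice):
    """32 random alphanumeric characters (the unique_id cookie on slide 6)."""
    return "".join(choose(ALPHABET) for _ in range(32))


def legacy_md5_cookie(secret, unique_id):
    """md5sum(concat(SECRET, unique_id)): the second cookie, as on slide 6."""
    return hashlib.md5((secret + unique_id).encode()).hexdigest()


def legacy_verify(secret, unique_id, md5_cookie):
    """What the server did: recompute and compare with the user's md5 cookie."""
    return legacy_md5_cookie(secret, unique_id) == md5_cookie


def forge_with_leaked_secret(leaked_secret, victim_unique_id):
    """Slide 7: once MD5.txt is readable, anyone can mint the md5 cookie for any
    unique_id, so the md5 cookie adds nothing to the 32-char unique_id any more."""
    return legacy_md5_cookie(leaked_secret, victim_unique_id)


class SessionStore:
    """Hardened variant (an assumption of this example, not the site's code): keyed
    HMAC, constant-time comparison, and a server-side table so that a well-formed
    pair for an unknown or closed unique_id is still rejected."""

    def __init__(self, secret: bytes):
        self.secret = secret      # in practice loaded from a file outside DOCUMENT_ROOT
        self.sessions = {}        # unique_id -> login

    def mac(self, unique_id):
        return hmac.new(self.secret, unique_id.encode(), hashlib.sha256).hexdigest()

    def open_session(self, login):
        uid = new_unique_id()
        self.sessions[uid] = login
        return uid, self.mac(uid)

    def close_session(self, unique_id):
        """Each user can close each of their sessions (slide 6)."""
        self.sessions.pop(unique_id, None)

    def user_for(self, unique_id, mac_cookie):
        """Login owning the pair, or None. The MAC check runs first so that an
        invalid pair never touches the store."""
        if not hmac.compare_digest(self.mac(unique_id), mac_cookie):
            return None
        return self.sessions.get(unique_id)

    def rotate_secret(self, new_secret: bytes):
        """The slide-7 fix: new secret and purge every session."""
        self.secret = new_secret
        self.sessions.clear()
```

The point the slide makes survives in the model: after the leak the second cookie is computable by anyone, so session security rests only on the 32 alphanumeric characters of unique_id, which is why a new secret outside DOCUMENT_ROOT plus a purge is a sufficient immediate fix. The store adds what the MAC alone cannot give: a closed or purged session stays invalid even when its cookie pair is still mathematically correct.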

  8. Social engineering
  2 ingredients:
  a rumour that closing accounts doesn't work
  curious users
  Alternative version: a 'click here' link (or, more evil, 'do not click here')
  (closing an account is not purging it, but you need an admin to get your account back)

  9. Social engineering
  Effect: several users closed their accounts
  Exploit: a simple comment with a link to the account-closing page
  Fix: inform users; add a confirmation step on that page

  10. Social engineering/XSS: board worm
  A chat via web (the LinuxFr.org board)
  Free space, where many links are posted (and clicked)
  Sort of playground
  http://badguy.invalid/davirusboard/
  [ 16:25:22 ] user4 – What a great link [url]
  [ 16:25:13 ] user3 – Huh, what the f*ck?
  [ 16:25:03 ] user3 – What a great link [url]
  [ 16:24:17 ] user2 – What a great link [url]
  [ 16:23:48 ] user1 – What a great link [url]

  11. Social engineering/XSS: board worm
  Failure: automatic form submission on page load + no confirmation on user action + the user's cookies sent along with the request (a cross-site request forgery: the attacker's page posts to the board with the victim's session)
  Effect: unwanted post on the daCode board, which spreads because each victim's post advertises the attacker's page to the next reader
  Exploit:
  <html>
  <head><title>DaVirusBoard</title></head>
  <body onload="document.form.submit()">
  <form name="form" method="post" action="http://linuxfr.org/board/add.php3">
  <input type="hidden" name="message" value="What a great link. http://badguy.invalid/davirusboard/">
  </form>
  </body>
  </html>

  12. Social engineering/XSS: board worm
  Fix (10/2002):
  check the REFERER
  accept only HTTP POST
  ask for confirmation on sensitive actions (news moderation, admin functions, account deletion...)
  full code check (a unique token for each form... not implemented)
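Slides 8, 9 and 12 describe the same class of fix from two angles: a state-changing action must not be reachable by a plain link or by an auto-submitted cross-site form. The following is an added Python model, not daCode's add.php3, of the three checks slide 12 lists, including the per-form token the slide notes was not implemented; the Board class, its method names, the status strings and the origin string are assumptions of the example.

```python
"""Slides 8, 9 and 12: a state-changing form against cross-site auto-submission.
Added Python model; daCode's real add.php3 is not shown on the slides."""
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://linuxfr.org"      # assumed origin of the board form


class LegacyBoard:
    """Pre-10/2002 behaviour as slide 11 describes it: any request carrying a
    session cookie posts, whatever page sent it."""

    def __init__(self):
        self.messages = []

    def add(self, method, headers, form, session_id):
        if session_id is None:
            return "403 not logged in"
        self.messages.append(form.get("message", ""))
        return "200"


class Board:
    """The fix list from slide 12: POST only, Referer check, and a per-form token."""

    def __init__(self):
        self.messages = []
        self._tokens = {}        # session_id -> set of outstanding per-form tokens

    def render_form(self, session_id):
        """Called when the page holding the form is rendered; the value goes in a
        hidden <input name="token">. Another origin cannot read it (same-origin
        policy), so an auto-submitting page cannot include it."""
        token = secrets.token_urlsafe(32)
        self._tokens.setdefault(session_id, set()).add(token)
        return token

    def _consume_token(self, session_id, token):
        """Single use: a replayed token is refused, just like a foreign one."""
        for issued in list(self._tokens.get(session_id, ())):
            if hmac.compare_digest(issued, token):
                self._tokens[session_id].discard(issued)
                return True
        return False

    def add(self, method, headers, form, session_id):
        if session_id is None:
            return "403 not logged in"
        if method != "POST":                      # a link or <img> can only GET
            return "405 POST only"
        referer = headers.get("Referer")          # a cross-site page cannot spoof it
        if referer is None:
            return "403 missing Referer"          # proxies strip it: a usability cost
        parts = urlsplit(referer)
        if f"{parts.scheme}://{parts.netloc}" != SITE_ORIGIN:
            return "403 foreign Referer"
        if not self._consume_token(session_id, form.get("token", "")):
            return "403 bad or reused token"
        self.messages.append(form.get("message", ""))
        return "200"


# The slide-11 page as the browser would send it: POST, victim's cookie, foreign Referer.
# Constructed request, not a captured one.
WORM_REQUEST = dict(
    method="POST",
    headers={"Referer": "http://badguy.invalid/davirusboard/"},
    form={"message": "What a great link. http://badguy.invalid/davirusboard/"},
    session_id="victim-session",
)
```

The Referer check alone is what was shipped in 10/2002; it costs users behind Referer-stripping proxies their posts, and the token is what removes that dependency, which is why it is the standard answer today. The confirmation page of slide 9 is the same mechanism seen from the user's side: the destructive step becomes a POST that only the confirmation form can produce.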

  13. XSS on daCode news.php3
  User input in news submissions was filtered down to a subset of HTML tags. But is this enough?

  14. XSS on daCode news.php3
  Failure: users can inject javascript in the src or data attribute (<img>, <object>, ...)
  Effect: the XSS can be used to steal sessions and to gain privileges
  Fix (09/2002):
  + $table['body'] = preg_replace('/(src|data)([\s])?=(["\'\s])?javascript:/i','', $table['body']);
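Review bot: the pattern tolerates at most one whitespace character before `=` and one character after it, so `src  = "javascript:"` (two spaces) and `src="  javascript:"` are left untouched, and it performs no entity decoding, so `src=&#106;avascript:` passes as well. Replacing the match with an empty string also leaves the remainder of the value inside the tag instead of dropping the attribute. Decode numeric entities first and keep only an allowlist of schemes (http, https, ftp, mailto) for the attribute value rather than searching for one literal.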

  15. XSS again on the cuthtml function
  The cuthtml function in templeet is used for cutting HTML texts... but also for cleaning it:
  ● makes the HTML well-formed
  ● deletes not-allowed tags (like <iframe>)
  ● deletes not-allowed attributes
  But is this enough?

  16. XSS again on the cuthtml function
  Failure: users can inject javascript in the href attribute of an <a> tag (the check looked for a literal 'javascript:', so an entity-encoded scheme got past it; the fix decodes numeric entities before checking)
  Effect: the XSS can be used to steal sessions and to gain privileges
  Fix (10/2005):
  - if (preg_match("/^[\"']?\s*javascript:/i",$value))
  + $decodevalue = preg_replace('~&#x([0-9a-f]+);~ei', 'chr(hexdec("\\1"))', $value);
  + $decodevalue = preg_replace('~&#([0-9]+);~e', 'chr(\\1)', $decodevalue);
  +
  + if (preg_match("/^[\"']?\s*(?:javascript|vbscript|mocha|livescript):/i", $decodevalue))
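Review bot: the `e` modifier on both preg_replace calls evaluates the replacement as PHP code. The captured groups are limited to hex and decimal digits, so nothing attacker-controlled reaches eval here, but `/e` was deprecated in PHP 5.5 and removed in 7.0; preg_replace_callback with chr()/hexdec() inside the callback is the direct equivalent. The decoding also requires the trailing `;`, while browsers of the time accepted `&#106avascript:` without it, and a tab or newline entity inside the scheme name (`jav&#x09;ascript:`) decodes to `jav<TAB>ascript:`, which none of the alternations match although browsers still ran it. Strip ASCII control characters before the scheme check, or allowlist schemes instead of listing bad ones; `data:` is also missing from the list.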

  17. XSS via USER_AGENT
  A chat via web (the board)
  [ 16:25:22 ] user4 – Huh? 16:23:48
  [ 16:25:13 ] user3 – Oops my keyboard is blo
  [ 16:25:03 ] user3 – I've nothing to tell
  [ 16:24:17 ] user2 – LinuxFr.org is a great site
  [ 16:23:48 ] user1 – blabla
  [ 16:23:48 ] Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.8.1.20) Gecko/2008

  18. XSS via USER_AGENT
  Failure: users can inject HTML (and javascript) via the USER_AGENT header, which the board displayed unescaped
  Effect: the XSS can be used to steal sessions and to gain privileges
  Fix: use htmlentities() to escape HTML for all user inputs, request headers included (and addslashes() for SQL parts)
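Slides 14, 16 and 18 are three instances of one rule: decide what user input may contain only after decoding it the way the browser will, and escape it for the context it lands in. The block below is an added Python illustration; the site's fixes are PHP and none of this is its code. decode_entities and url_is_safe allowlist the URL scheme instead of blacklisting strings, legacy_filter is the slide-14 regex ported to Python so its bypasses can be exercised, and render_board_line escapes the User-Agent of slide 18 on output; that the board put the User-Agent in a title attribute is an assumption. On the SQL side of slide 18, addslashes() is not a substitute for parameterised queries, which is what to use instead.

```python
"""Output-side defences for slides 14, 16 and 18. Added Python re-implementation,
not the site's PHP."""
import html
import re

ALLOWED_SCHEMES = {"http", "https", "ftp", "mailto"}   # everything else is dropped


def decode_entities(value):
    """One pass of HTML5 entity decoding: numeric references with or without the
    trailing ';' and named ones (&colon;, &Tab;) alike. A single pass mirrors the
    browser, so '&#x26;#106;' becomes the text '&#106;', not 'j'."""
    return html.unescape(value)


def url_is_safe(value):
    """Allowlist the scheme instead of blacklisting 'javascript:'. The scheme is read
    from a copy with ASCII controls and whitespace removed, because browsers of the
    period skipped those inside 'jav<TAB>ascript:'. A value without a scheme is a
    relative URL and is accepted."""
    probe = re.sub(r"[\x00-\x20]", "", decode_entities(value)).lower()
    m = re.match(r"([a-z][a-z0-9+.\-]*):", probe)
    if m is None:
        return True
    return m.group(1) in ALLOWED_SCHEMES


def safe_url_attr(value):
    """Decoded URL ready for a double-quoted href/src/data attribute, or '' if rejected."""
    if not url_is_safe(value):
        return ""
    return html.escape(decode_entities(value), quote=True)


def legacy_filter(body):
    """The 09/2002 fix from slide 14, ported from the PHP regex: same bypasses."""
    return re.sub(r'(src|data)(\s)?=(["\'\s])?javascript:', "", body, flags=re.I)


def render_board_line(when, user, message, user_agent):
    """Slide 18: the User-Agent is output like any other user input, so it is escaped
    for its context. The title attribute is an assumption about how it was shown."""
    return '<li title="{ua}">[ {t} ] {u} - {m}</li>'.format(
        ua=html.escape(user_agent, quote=True),
        t=html.escape(when), u=html.escape(user), m=html.escape(message))
```

Running legacy_filter over `<img src=&#106;avascript:alert(1)>` returns it unchanged, and over `<img src="javascript:alert(1)">` returns `<img alert(1)">`, which is why the later fix moved to decode-then-check; url_is_safe rejects both forms, the tab-in-scheme variant, and `javascript&colon;` while still accepting relative links and http(s) URLs.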

  19. Personal data leak: CSRF
  The generated js/admin.js adds the user's email in a <div> via document.write()
  It is called in each page header
  The generated js/users_admininfo.js does the same thing with all of the user's personal data
  It is called in the user page

  20. Personal data leak: CSRF
  Failure: javascript cross-site request forgery (today usually called cross-site script inclusion, XSSI): any site can include the .js files directly with a <script src> tag, the browser sends the victim's cookies, and the attacker reads the written data back out of the DOM
  Effect: personal data leak

  21. Personal data leak: CSRF
  Exploit:
  <div style="display:none;">
  <div id="logindelete"></div>
  <script src="https://linuxfr.org/js/admin.js"></script>
  <script>
  display_authbox();
  var matches = document.getElementById('login').innerHTML.match(/>[^@<>]*@[^<>]*</);
  var email = matches[0].slice(1, -1);
  </script>
  </div>
  <p> Email: <script> document.write(email); </script></p>
  Fix (2008/07): email removed from admin.js, and /js/users_admininfo.js renamed to /js/users_admininfo,T3VtcGg=.js (salt)
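Slides 19 to 21 as an added Python model of both sides, not the site's PHP: legacy_admin_js stands in for the generated admin.js, attacker_reads_email applies the slide-21 regex to what that script writes, and UserInfoScript is the fix in the form a practitioner would want it, a per-user script name carrying a random token bound to the session. The USERS table is constructed sample data. The example path on slide 21 ends in T3VtcGg=, which is the base64 encoding of the login Oumph (guessable_salt shows this); if the salt was derived from the login that way it could be recomputed by anyone who knows the login, which is why the token below is random rather than derived.

```python
"""Slides 19-21: per-user data served as an executable script can be included
cross-origin with <script src> and read out of the DOM. Added Python model."""
import base64
import hmac
import re
import secrets

# Constructed sample user, not real data.
USERS = {"Oumph": {"email": "oumph@example.invalid", "lastname": "Sibaud"}}


def legacy_admin_js(login):
    """Model of the old js/admin.js: display_authbox() document.write()s the login box,
    e-mail included. At a fixed URL it is the same for every origin that includes it."""
    email = USERS[login]["email"]
    return ("function display_authbox(){document.write('"
            f"<div id=\"login\"><span>{login}</span><span>{email}</span></div>');}}")


def html_written_by(script_src):
    """Pull the document.write('...') argument out of the modelled script."""
    m = re.search(r"document\.write\('(.*)'\)", script_src)
    return m.group(1) if m else ""


EXPLOIT_RE = re.compile(r">[^@<>]*@[^<>]*<")      # the regex from slide 21


def attacker_reads_email(emitted_html):
    """What the slide-21 page does after including admin.js and calling
    display_authbox(): regex innerHTML, then slice(1, -1)."""
    m = EXPLOIT_RE.search(emitted_html)
    return m.group(0)[1:-1] if m else None


def guessable_salt(login):
    """base64(login): for 'Oumph' this is the T3VtcGg= seen in the slide's path."""
    return base64.b64encode(login.encode()).decode()


class UserInfoScript:
    """Fix: no personal data in the globally named admin.js; the per-user script
    lives at a name only the logged-in session knows, bound to a random token."""

    def __init__(self):
        self._tokens = {}     # login -> token; issued at login, dropped at logout

    def path_for(self, login):
        tok = self._tokens.setdefault(login, secrets.token_urlsafe(24))
        return f"/js/users_admininfo,{tok}.js"

    def forget(self, login):
        """Logout: the old name stops working even if it leaked."""
        self._tokens.pop(login, None)

    def serve(self, path):
        """(status, body). Only a path carrying a live token gets the data."""
        m = re.fullmatch(r"/js/users_admininfo,([A-Za-z0-9_\-]+)\.js", path)
        if m is None:
            return 404, ""
        for login, tok in self._tokens.items():
            if hmac.compare_digest(tok, m.group(1)):
                u = USERS[login]
                return 200, f"var admininfo={{login:'{login}',email:'{u['email']}'}};"
        return 404, ""
```

The token name closes the hole the slides describe; a design starting today would go one step further and serve the data as JSON over a same-origin XMLHttpRequest rather than as a script at all, since JSON included via <script src> is not executable and leaks nothing.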

  22. Session hijacking: random generator
  The site was using the daCode 1.4 CMS (and our webmasters were the daCode developers)
  makerand() was used to generate the session id, calling srand() with an int argument.

  23. Session hijacking: random generator
  Failure: things went fine in PHP4. But in PHP3, when the seed was ≥ 2^31 there was a signedness problem: for half a day, the seed and the generated id were constant.
  Effect: for half a day you could easily guess a session. And due to session id uniqueness, only the first user could connect.
  Exploit: just forge a cookie during that half day
  Fix (2002/10): stop using bogus PHP3 (!), handle signedness for srand()

  24. Session hijacking: random generator (again)
  Two sites using the daCode CMS. A user mistakenly copies their session cookie from the wrong site... and gets a valid session! (info coming from one of our users, thanks kadreg)
  How unlikely: sessionID = 20 alphanumeric chars, (26+26+10)^20 possible values, about 7×10^35
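Slides 23 and 24 both come down to session ids drawn from a seeded rand(): a seed that stops varying gives a constant id, and two installations that seed identically give identical ids. The block below models that in Python as an added example; daCode's makerand() is not on the slides, and the saturating 32-bit conversion in to_c_int32 is an assumption standing in for the PHP3 signedness problem (the slide only says the seed became constant). The slide does not say why the two daCode sites produced the same id; a shared seed is shown here as one mechanism, not as the established cause. secure_session_id is the replacement, and keyspace is the 62^20 arithmetic of slide 24, which only holds for a uniform generator.

```python
"""Slides 23 and 24: session ids from a seeded PRNG. Added Python model, not daCode code."""
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits        # 26 + 26 + 10 = 62 symbols


def to_c_int32(seed):
    """Stand-in for PHP3's srand() seed handling (slide 23): once the value reaches
    2**31 the signed 32-bit conversion no longer follows the input. Saturating is an
    assumption; what matters is that every seed above the limit maps to one value."""
    return seed if seed < 2**31 else 2**31 - 1


def makerand(seed, length=20):
    """daCode-style id: seed the library PRNG, then draw alphanumerics (model only).
    Same seed, same id: that is also the slide-24 scenario if two sites share a seed."""
    rng = random.Random(to_c_int32(seed))
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def ids_for_seeds(seeds):
    """Distinct ids produced by a range of seeds: the smaller the set, the easier the
    guess. Above 2**31 the whole range collapses to a single id."""
    return {makerand(s) for s in seeds}


def secure_session_id(length=20):
    """Replacement: the OS CSPRNG. No seed, so nothing to predict or to share."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def keyspace(length=20):
    """Slide 24's estimate: 62**20, about 7e35, for a uniform generator only."""
    return len(ALPHABET) ** length
```

The half-day window of slide 23 is what ids_for_seeds shows in miniature: for every seed in the broken range the id is the same string, so the attacker needs no guessing at all, and the first user to obtain it locks everyone else out because the id must be unique.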
